The present invention relates generally to information analysis and screening using a computer, and, specifically, to configurations and methods for intercepting and removing computer viruses and worms from transmitted media.
With the rising popularity of the Internet, there are now millions of users connecting to the Internet daily from their host computers to conduct e-commerce transactions, perform searches for information and/or download executable programs to enhance the capability and performance of their own host computers. The interaction between these users and the other host servers on the Internet generally involves the transfer of some amount of data, which may include both static displayable information and executable computer code. Generally speaking, static displayable information refers to static information to be displayed at the host computer while executable code or an “executable” refers to computer instructions configured to be executed at the host computer to perform some task.
In general, the vast majority of the downloadable data from the Internet represents useful or at least non-harmful content material. However, there exists a class of executable code that, if downloaded and executed at host computers, may wreak havoc with the operating system, the hardware, and/or other software of the host computers. These executables include what are commonly referred to as computer viruses and/or worms.
A computer virus is a piece of programming code usually disguised as something else that causes some unexpected and usually undesirable event (for the victim). Viruses are often designed so that they automatically spread to other computer users across network connections. For instance, viruses can be transmitted by sending them as attachments to an e-mail message, by downloading infected programming from other web sites, and/or by importing them into a computer from a diskette or CD-ROM. The source application that deals with the e-mail message, downloaded file, or diskette is often unaware of the virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses can be quite harmful, causing a hard disk to require reformatting or clogging networks with unnecessary traffic.
Computer worms are very similar to viruses in that a worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. Once the security hole has been found, the worm copies itself to the new machine using the security hole, and then uses the newly infected computer to start replicating itself in order to infect other computers connected thereto. Although a worm does not alter files but resides in active memory and duplicates itself, the worm uses parts of an operating system that are automatic and usually invisible to the user. Therefore, it is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
To combat worms, users and administrators of computer networks (such as corporate local area networks or wide area networks) have long employed a variety of tools designed to detect and block worms from infecting a computer system. In a corporate local area network (LAN), for example, network administrators may employ proxy servers (which are disposed between the host computers of the LAN and the Internet) as well as individual computers to perform any of a number of defense strategies designed to prevent infection by a worm. One such defense strategy relies upon behavioral monitoring of computer actions. In behavioral monitoring, a historical database of actions taken by every computer is maintained that is then used by a monitoring program (heuristic engine) to compare to current actions taken by a particular computer. In those cases where current actions are deemed by the behavior monitoring program to be substantially different from the historical norm, the behavioral monitoring program flags that particular computer as being possibly infected by a worm. Once so flagged, appropriate actions can be taken.
In day-to-day efforts against computer viruses and other terminal device viruses, an end user is constantly looking for ways to inoculate against such viruses. Even in the case of corporate networks that are closely guarded by an anti-virus firewall and various other virus protection software and protocols, some viruses still manage to penetrate and infect the network resulting in substantial harm since conventional anti-virus technology generally relies on already identified viruses. In particular, conventional anti-virus protection is usually effective against known computer viruses, but may be ineffective in blocking unknown viruses. Therefore, terminal devices such as computers connected to a local area network (LAN) or wide area network (WAN) are generally unable to include effective anti-virus protection against unknown viruses using conventional anti-virus software.
When the terminal device or computer connected to a network is subject to attack by an unknown virus penetrating into the network, it is the responsibility of network managers to guard against such attacks and the restore the network to normal operating status as quickly as possible. The level of preparedness in a network is dependent upon knowing the probability of a virus to successfully penetrate the corporate network.
Intrusion Detection System (IDS) products neutralize the network-type attacks by scanning for abnormal network packets at protocols layers, including a method called Application Behavior Monitoring (ABM) at the host base IDS. ABM keeps track of behavioral patterns of target applications and protects the network system by allowing the benign (known) behavior patterns by disallowing or blocking and the unknown or malign ones.
Conventional anti-virus software sets a particular alert level to early detection of virus outbreaks for system administrators of network systems. The setting of the alert level becomes very important. If the alert level is set too low, it may invite an erroneous determination of a computer virus such that benign applications are deemed viral by mistake. If the alert level is set too high, certain computer viruses will be undetected and allowed into the network.
Conventional anti-virus software still relies on the support system at the anti-virus service provider to generate cures. Such practice is heavily reliant on the response time at the service provider in procuring the virus sample, implementing the virus analysis, generating the appropriate cures, and deploying them to the end users. Though such support systems may be effective at certain levels, certain end users (such as system administrators of corporate networks) still require solutions that provide better lead time and effectiveness in countering sudden outbreaks of computer viruses.
There is thus a general need in the art for a network level anti-virus method and system overcoming at least the aforementioned shortcomings in the art. In general, there is a need in the art for an anti-virus method and system having multilevel anti-virus functions for anticipating and detecting computer virus outbreaks. In particular there is a need for a system and method that provides inoculation against virus and/or worm infection.